Smart Band and Smart Watch Hacking

Idea & Introduction

Hello, myself Indranil. I am an IT employee more particularly an Ethical Hacker. I also provide training in various IT domains. I love playing with codes and with systems. I travel through Shuttle cars and public buses.

The trending and interesting thing, which I have found while traveling is a smart band or a smartwatch on everyone’s wrist. I found a keen interest in that. No, not to feel trendy of course!

But I also intended to buy and wear one. Can you guess why? To hack it and to play with it! After all, I am an Ethical Hacker…

Thus, the idea got into my head and it started weaving its plan to implement it! Being a trainer gave me an upper hand here. I shared my idea with one of my students, Sampat Banerjee, who is an Ethical Hacking enthusiast and has a deep interest in different aspects of hacking.

Being an enthusiast, he couldn’t control his emotions when I ask him “Are you interested to work on hacking the Smartwatches and band?”, and shouted out loud “YES SIR”.

And we both got started on the project. The implementation started in real life.

We will look into the technical part of this project with some visuals from the successfully implemented project. Here in this blog, we will discuss hacking MiBand3. Let’s get started then…

How MiBand3 works:                     

Different functionalities:

MiBand is a smart Band which hhasa touchscreen display, heart rate monitor, charging Port ,and a button. A charging cable is also available to charge it. The User has to install the MiFit app on their mobile. QR Scanner is given to the user to make a connection between the user’s mobile and the band. This connection is also known as a pairing that is nothing but through Bluetooth.

After the pairing is established then the notifications like incoming calls, date time, heart rate this data will be displayed on the Smart Band and all data will be transferred to the smart band through Bluetooth only. The fun stuff is here.

While I have gone through this whole process, then I have found that if I can transfer my data on the smart band then it will a real fun. Now here the data transfer takes place through Bluetooth protocol.

I had little knowledge of this protocol, but with a great interest in executing the idea, I started learning Bluetooth how it works and throughout. Then After a week I was confident enough that yeah let’s start, now how from which point, we will go to that part but first thing first. Let’s understand a few aspects of Bluetooth and its types.

How Bluetooth works and its types:

Bluetooth is a type of radio that operates at high power over short distances. It transmits information in a similar way you receive sound to your radio or information over wifi. In binary (1s & 0s) format the data is transferred & in radio waves form it travel through space like light. The device receiving the Bluetooth signal has an antenna built-in where these radio waves got hit, then because of this hit the electrical current got generated and which the device will read as the original binary information.

Bluetooth has two major classes, Bluetooth Classic and Bluetooth Low Energy (BLE).

1. Product having classic Bluetooth needs a constant flow of data and was designed for two-way data transfer with high application throughput.
2. Bluetooth low energy is the latest Bluetooth standard that does what it says and use less power. Low usage of power is more important to save battery for some devices which are connected like a headset and also cell phone as it has smaller batteries and still has to charge the cell phone for other thing is uses energy for. So, it can result in saving device charge for long.

Bluetooth protocols:

Controller stack: –

• Synchronous Connection-Oriented (SCO) link
• Link Management Protocol (LMP)
• Asynchronous Connection-Less [logical transport] (ACL)
• Low Energy Link Layer (LE LL)
• Host Controller Interface (HCI)

Host stack:-

• Bluetooth network encapsulation protocol (BNEP)
• Radiofrequency communication (RFCOMM)
• Service discovery protocol (SDP)
• Logical link control and adaptation protocol (L2CAP)
• The Telephony control protocol (TCS)
• Low Energy Security Manager Protocol (SMP)
• Audio/video control transport protocol (AVCTP)
• Audio/video data transport protocol (AVDTP)
• Low Energy Attribute Protocol (ATT)
• Object exchange (OBEX)
• Attribute Protocol (ATT)

ATT protocol:-

Out of all these the only thing that was essential was the ATT protocol.

• Attribute Protocol (ATT) is a protocol that presents in BLE and it defines the representation of data in a BLE server database and the way how that data can be read or written.

Authentication Bypass:

To bypass the authentication of miband3, we had to check the log files for the ATT protocol request that go the handle that represents Anhui Huami Information Technology Co, it’s a Company that makes Smart wearable devices and that it owns the Xiaomi brand.

The authentication bypass steps are: –

1. By sending 2 bytes request an auth notification is set for getting a response.
2. By sending 16 bytes encryption key with command and also appending to it 2 bytes to the Char.
3. Random Key is requested from the device by sending 2 bytes with command
4. Receive Random Key from the response of the device
5. Using the AES/ECB/NoPadding encryption algorithm Random Number with 16 bytes key which is encrypted.

TRIAL Error and Success:

At first, we tried to show a notification popup on the Mi-band but it wasn’t working as we didn’t know which handle or UUID was for notification. We started to use the trial-and-error method but we were constantly failing, and then we realized that we needed to authenticate our device. We were also failing to understand why the random authentication key is not working properly, after lots of attempts we figured out that we need to encrypt the random authentication key with a 16 bytes key using the AES/ECB/NoPadding encryption algorithm.

We also had to try with numerous amounts of unknown hexes and figure them out via multiple trials and error methods. All the efforts to successfully find out the byte value will be supported by the miband3 alert & call notification.